/*
* This is the Otway-Rees Protocol (see Clark/Jacob, 6.3.2),
* using message tags to protect against the type flaw attack.
* The protocol allows the server S to generate a session key Kab for use
* by A and B.
*
* A -> B : Rid, A, B, { msg1 (Na,Rid,A,B) }Kas
* B -> S : Rid, A, B, { msg1 (Na,Rid,A,B) }Kas, { msg2 (Nb,Rid,A,B) }Kbs
* S -> B : Rid, { msg4(Na,Kab) }Kas, { msg3(Nb,Kab) }Kbs
* B -> A : Rid, { msg4(Na,Kab) }Kas
*
* Compare this protocol to Abadi and Needham's simplification,
* which we verify in or-simplified.cry. In comparison to the simplified
* version, the original contains a freshly generated run identifier Rid.
* The inclusion of the run identifier and the encryption of msg1 and msg2
* give A the additional guarantee that B has been contacted as part of
* the protocol run Rid.
*
* The type analysis of the protocol exposes various redundancies: For
* instance, it is not necessary to send Rid as cleartext in the second,
* third and fourth message. Moreover, the inclusion of A in msg1 is
* redundant, as is the inclusion of B in msg2.
*
* Christian Haack, v1.1.0 2004/09/22
*/

/*
* Public words. In the part of the file visible here they are used only as
* filler tokens that make the correspondence assertions of the Initiator
* readable, e.g. "s providing kab to a in response to challenge nonceA" and
* "b acknowledging to a being contacted as part of run rid".
* They are declared public, so no secrecy is claimed for them.
*/
public providing : Word;
public to : Word;
public in : Word;
public challenge : Word;
public response : Word;
public acknowledging : Word;
public being : Word;
public contacted : Word;
public as : Word;
public part : Word;
public of : Word;
public run : Word;

/*
* We assume that two principals are able to securely look up their shared
* long-term keys. We formally express this by assuming the existence
* of a secure lookup function of the following dependent function type:
*/

/*
* lkupKey is declared with a signature only and no body: it is a modelling
* assumption, not an implementation. The result type SharedKey(p,q) depends
* on the two arguments, so the key returned is typed for that pair.
* NOTE(review): any property checked for this file holds only under this
* assumption; how long-term keys are distributed and protected is outside
* the model.
*/
fun lkupKey(p:Any,q:Any) : SharedKey(p,q);

/*
* The initiator.
*/

/*
* Initiator role (A in the message listing of the file header), run at
* host a. It opens a protocol run with b and receives the session key kab.
*
* Parameters:
*   a, b - the initiating and the responding host
*   s    - the server
*   kas  - the long-term key shared between a and s, of type SharedKey(a,s)
*
* The role sends message 1 and waits for message 4. It then issues two
* end(...) assertions: that s provided kab in response to nonceA, and that
* b acknowledged being contacted as part of run rid.
*/
client Initiator
(a:Host, b:Host, s:Server, kas:SharedKey(a,s))
at a is
{
/* Connect to the Responder role at b; both messages below use socket. */
establish Responder at b is (socket:Socket);
/* New run identifier, typed Public; it is sent in the clear in message 1. */
new (rid : Public);
/* New challenge nonce; its type is indexed by a, b and rid. */
new ( nonceA : ChallengeAToS(a,b,rid) );
/* Message 1 (A -> B): cleartext rid, a, b and the tagged msg1 under kas. */
output socket is ( rid, a, b, { msg1(nonceA,rid,a,b) }kas );
/*
* Message 4 (B -> A): rid in the clear and msg4(nonceA, kab) under kas.
* rid and nonceA reuse the names created above, while kab is introduced here
* with type Private. The msg4 tag separates this ciphertext from the other
* tagged messages; the file header gives the tags as the protection against
* the type flaw attack.
* NOTE(review): presumably the pattern only matches a reply carrying this
* run's rid and nonceA; confirm against the pattern semantics.
*
* The bracketed list attaches two begun-assertions to the received message;
* each has a matching end(...) statement below.
* NOTE(review): the second carries a "!" prefix and the first does not;
* confirm what the prefix means in the Cryptyc documentation.
*/
input socket is ( rid, { msg4(nonceA,kab:Private) }kas )
[ begun(s providing kab to a in response to challenge nonceA),
!begun(b acknowledging to a being contacted as part of run rid) ];
/* a asserts that s supplied kab in answer to the challenge nonceA. */
end(s providing kab to a in response to challenge nonceA);
/* a asserts that b took part in this run (identified by rid). */
end(b acknowledging to a being contacted as part of run rid);
}